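/*
 * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package test.java.security.cert;

import static org.testng.Assert.assertEquals;
import static sun.security.x509.GeneralNameInterface.NAME_DIRECTORY;
import static sun.security.x509.NameConstraintsExtension.EXCLUDED_SUBTREES;
import static sun.security.x509.NameConstraintsExtension.PERMITTED_SUBTREES;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import org.testng.annotations.Test;

import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AlgorithmId;
import sun.security.x509.AuthorityKeyIdentifierExtension;
import sun.security.x509.CertificatePoliciesExtension;
import sun.security.x509.DNSName;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.GeneralNames;
import sun.security.x509.GeneralSubtree;
import sun.security.x509.GeneralSubtrees;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.NameConstraintsExtension;
import sun.security.x509.PolicyInformation;
import sun.security.x509.PrivateKeyUsageExtension;
import sun.security.x509.SubjectAlternativeNameExtension;
import sun.security.x509.X500Name;

/*
 * @test
 * @bug 8074931
 * @summary This class tests the X509CertSelector. The tests check particular criteria
 *          by setting them to a value that should match our test certificate and
 *          ensuring that they do match, then setting them to a value that should not
 *          match our test certificate and ensuring that they do not match.
 * @modules java.base/sun.security.x509
 *          java.base/sun.security.util
 */
/*
 * Scope note: every assertion here goes through X509CertSelector.match(), which
 * compares the configured criteria with fields of the certificate. Nothing in
 * this class verifies a signature, builds a path or checks revocation, so a
 * "true" result below is a selection result, not a trust decision. The fixture
 * certificate is suitable for that purpose only: per the dump below it is
 * signed with dsaWithSHA1, its DSA parameters are all zero, and it expired in
 * June 2000.
 */
public class X509CertSelectorTest {
    /*
            Certificate:
                Data:
                    Version: 3 (0x2)
                    Serial Number: 954172088 (0x38df82b8)
                Signature Algorithm: dsaWithSHA1
                Issuer: C=us, O=sun, OU=testing
                Validity
                    Not Before: Mar 27 15:48:08 2000 GMT
                    Not After : Jun 25 14:48:08 2000 GMT
                Subject: C=us, O=sun, OU=testing, CN=mullan
                Subject Public Key Info:
                    Public Key Algorithm: dsaEncryption
                        pub: 0
                        P: 0
                        Q: 0
                        G: 0
                X509v3 extensions:
                    X509v3 Name Constraints: critical
                        0D.B0@.>1.0...U....us1.0
        ..U.
        ..sun1.0...U....testing1.0
        ..U....mullan
                    X509v3 Subject Key Identifier:
                        56:E8:88:AE:9D:B5:3F:2B:CB:A0:4C:4B:E2:87:53:07:33:77:1B:DF
                    X509v3 Authority Key Identifier:
                        keyid:8E:DD:AF:6F:EE:02:12:F4:61:E9:2F:E3:64:1A:6F:71:32:25:20:C0

                    X509v3 Subject Alternative Name:
                        email:mullan@east.sun.com
                    X509v3 Private Key Usage Period:
                        Not Before: Jan 1 05:00:00 2000 GMT, Not After: Jan 1 05:00:00 2001 GMT
                    X509v3 Key Usage: critical
                        Digital Signature
                    X509v3 Certificate Policies:
                        0$0\..*...0.0...+.......0..
        Testing...
                Signature Algorithm: dsaWithSHA1
                    r:
                        44:c7:35:40:5d:6c:28:75:7f:73:b2:f8:0d:72:6c:
                        09:65:b8:81:14
                    s:
                        76:79:f5:c7:37:3b:0d:9b:db:70:2f:20:80:36:e3:
                        80:e8:a6:c6:71
     */
    private static final String testCert =
            "-----BEGIN CERTIFICATE-----\n" +
            "MIICLjCCAeygAwIBAgIEON+CuDALBgcqhkjOOAQDBQAwLTELMAkGA1UEBhMCdXMx\n" +
            "DDAKBgNVBAoTA3N1bjEQMA4GA1UECxMHdGVzdGluZzAeFw0wMDAzMjcxNTQ4MDha\n" +
            "Fw0wMDA2MjUxNDQ4MDhaMD4xCzAJBgNVBAYTAnVzMQwwCgYDVQQKEwNzdW4xEDAO\n" +
            "BgNVBAsTB3Rlc3RpbmcxDzANBgNVBAMTBm11bGxhbjAcMBQGByqGSM44BAEwCQIB\n" +
            "AAIBAAIBAAMEAAIBAKOCASMwggEfMFAGA1UdHgEB/wRGMESgQjBApD4xCzAJBgNV\n" +
            "BAYTAnVzMQwwCgYDVQQKEwNzdW4xEDAOBgNVBAsTB3Rlc3RpbmcxDzANBgNVBAMT\n" +
            "Bm11bGxhbjAdBgNVHQ4EFgQUVuiIrp21PyvLoExL4odTBzN3G98wHwYDVR0jBBgw\n" +
            "FoAUjt2vb+4CEvRh6S/jZBpvcTIlIMAwHgYDVR0RBBcwFYETbXVsbGFuQGVhc3Qu\n" +
            "c3VuLmNvbTArBgNVHRAEJDAigA8yMDAwMDEwMTA1MDAwMFqBDzIwMDEwMTAxMDUw\n" +
            "MDAwWjAPBgNVHQ8BAf8EBQMDB4AAMC0GA1UdIAQmMCQwIgYEKoSAADAaMBgGCCsG\n" +
            "AQUFBwICMAwSClRlc3RpbmcuLi4wCwYHKoZIzjgEAwUAAy8AMCwCFETHNUBdbCh1\n" +
            "f3Oy+A1ybAlluIEUAhR2efXHNzsNm9twLyCANuOA6KbGcQ==\n" +
            "-----END CERTIFICATE-----\n" +
            "";

    // Base64 of an X.509 SubjectPublicKeyInfo for a DSA key. It is used as the
    // "wrong key" in testSubjectPublicKey and is not the certificate's own key.
    private static final String testKey =
            "MIIBtjCCASsGByqGSM44BAEwggEeAoGBAIVWPEkcxbxhQRCqVzg55tNqbP5j0K4kdu4bkmXvfqC5\n" +
            "+qA75DvnfzsOJseb+9AuKXWk/DvCzFDmrY1YaU3scZC3OQEO9lEO3F4VDKOaudY6OT1SI22pAIwz\n" +
            "j5pvq+i7zOp4xUqkQUeh/4iQSfxOT5UrFGjkcbnbpVkCXD/GxAz7AhUAjtnm3dVIddUUHl6wxpZ7\n" +
            "GcA6gSsCgYAf/PXzQtemgIDjpFrNNSgTEKkLposBXKatAM+gUKlMUjf8SQvquqPxDtRrscGjXkoL\n" +
            "oTkaR7/akULYFpBvUcFkeIFiCnJg8M9XhCWdLvn9MPt+jR2oxookvCb9xLtD6WvIM/wd/nZ1iK4u\n" +
            "iY1+q85xvns/Awbtwl7oZDAwE2TUKAOBhAACgYBDc9UZ+3xsZubUZvRG5cpyJceYpJp2exOPVJXn\n" +
            "jR4CcR+cT9bAJpFSxqE/8KtNHXxHdu4f3DU67IMOVDpugzihyzXJvNm3w2H9x+6xczHG2wjvAJeh\n" +
            "X62EWbUatxPXFAoVKZWuUbaYaZzdWBDtNRrCuKKsLo0GFy8g2BZISuD3jw==\n" +
            "";

    // Certificate to run tests on
    private final X509Certificate cert;

    // BEGIN Android-removed: Not needed with testng
    /*
    public static void main(String[] args) throws Exception {
        X509CertSelectorTest test = new X509CertSelectorTest();
        test.doTest();
    }
    */
    // END Android-removed: Not needed with testng

    /*
     * Parses the PEM fixture into the certificate every test matches against.
     * The PEM text is pure ASCII, so the charset is named explicitly instead of
     * relying on the platform default.
     */
    public X509CertSelectorTest() throws CertificateException, IOException {
        cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(
                        new ByteArrayInputStream(testCert.getBytes(StandardCharsets.US_ASCII)));
    }

    // Runs the test.
    // BEGIN Android-removed: Not needed with testng
    /*
    private void doTest() throws Exception {
        System.out.println("START OF TESTS FOR " + "X509CertSelector");

        testSerialNumber();
        testIssuer();
        testSubjectKeyIdentifier();
        testAuthorityKeyIdentifier();
        testCertificateValid();
        testPrivateKeyValid();
        testSubjectPublicKeyAlgID();
        testKeyUsage();
        testSubjectAltName();
        testPolicy();
        testPathToName();
        testSubject();
        testSubjectPublicKey();
        testNameConstraints();
        testBasicConstraints();
        testCertificate();
    }
    */
    // END Android-removed: Not needed with testng

    // Tests matching on the serial number contained in the certificate.
    @Test
    public void testSerialNumber() {
        System.out.println("X.509 Certificate Match on serialNumber");
        // bad match
        X509CertSelector selector = new X509CertSelector();
        selector.setSerialNumber(new BigInteger("999999999"));
        checkMatch(selector, cert, false);

        // good match
        selector.setSerialNumber(cert.getSerialNumber());
        checkMatch(selector, cert, true);
    }

    /*
     * Tests matching on the issuer name contained in the certificate.
     *
     * This deliberately exercises the String overload of setIssuer. Code that
     * selects certificates for a security decision should prefer the
     * X500Principal or byte[] overloads: the RFC 2253 string form can lose
     * encoding information and then fail to match some certificates.
     */
    @Test
    public void testIssuer() throws IOException {
        System.out.println("X.509 Certificate Match on issuer");
        // bad match
        X509CertSelector selector = new X509CertSelector();
        selector.setIssuer("ou=bogus,ou=east,o=sun,c=us");
        checkMatch(selector, cert, false);

        // good match
        selector.setIssuer((cert.getIssuerX500Principal()).getName("RFC2253"));
        checkMatch(selector, cert, true);
    }

    /*
     * Tests matching on the subject key identifier contained in the
     * certificate.
     */
    @Test
    public void testSubjectKeyIdentifier() throws IOException {
        System.out.println("X.509 Certificate Match on subjectKeyIdentifier");
        // bad match
        X509CertSelector selector = new X509CertSelector();
        byte[] b = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
        selector.setSubjectKeyIdentifier(b);
        checkMatch(selector, cert, false);

        // good match: getExtensionValue returns the extension wrapped in an
        // OCTET STRING; the selector is given the unwrapped contents.
        DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.14"));
        byte[] encoded = in.getOctetString();
        selector.setSubjectKeyIdentifier(encoded);
        checkMatch(selector, cert, true);
    }

    /*
     * Tests matching on the authority key identifier contained in the
     * certificate.
     */
    @Test
    public void testAuthorityKeyIdentifier() throws IOException {
        System.out.println("X.509 Certificate Match on authorityKeyIdentifier");
        // bad match
        X509CertSelector selector = new X509CertSelector();
        byte[] b = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
        AuthorityKeyIdentifierExtension a =
                new AuthorityKeyIdentifierExtension(new KeyIdentifier(b), null, null);
        selector.setAuthorityKeyIdentifier(a.getExtensionValue());
        checkMatch(selector, cert, false);

        // good match
        DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.35"));
        byte[] encoded = in.getOctetString();
        selector.setAuthorityKeyIdentifier(encoded);
        checkMatch(selector, cert, true);
    }

    /*
     * Tests matching on the certificate validity component contained in the
     * certificate.
     */
    @Test
    public void testCertificateValid() {
        System.out.println("X.509 Certificate Match on certificateValid");
        // bad match: a date long before the certificate's notBefore.
        // Calendar months are zero-based; the former literal 12 silently rolled
        // over to January 1969 under the default lenient mode.
        X509CertSelector selector = new X509CertSelector();
        Calendar cal = Calendar.getInstance();
        cal.set(1968, Calendar.DECEMBER, 31);
        selector.setCertificateValid(cal.getTime());
        checkMatch(selector, cert, false);

        // good match
        selector.setCertificateValid(cert.getNotBefore());
        checkMatch(selector, cert, true);
    }

    /*
     * Tests matching on the private key validity component contained in the
     * certificate.
     */
    @Test
    public void testPrivateKeyValid() throws IOException, CertificateException {
        System.out.println("X.509 Certificate Match on privateKeyValid");
        // bad match: a date long before the private key usage period.
        // Calendar months are zero-based, hence the named constant.
        X509CertSelector selector = new X509CertSelector();
        Calendar cal = Calendar.getInstance();
        cal.set(1968, Calendar.DECEMBER, 31);
        selector.setPrivateKeyValid(cal.getTime());
        checkMatch(selector, cert, false);

        // good match: the start of the period taken from the extension itself
        DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.16"));
        byte[] encoded = in.getOctetString();
        PrivateKeyUsageExtension ext = new PrivateKeyUsageExtension(false, encoded);
        Date validDate = (Date) ext.get(PrivateKeyUsageExtension.NOT_BEFORE);
        selector.setPrivateKeyValid(validDate);
        checkMatch(selector, cert, true);
    }

    /*
     * Returns the algorithm OID found in the encoded public key of the given
     * certificate. Throws RuntimeException if the encoding does not start with
     * a SEQUENCE.
     */
    private ObjectIdentifier getCertPubKeyAlgOID(X509Certificate xcert) throws IOException {
        byte[] encodedKey = xcert.getPublicKey().getEncoded();
        DerValue val = new DerValue(encodedKey);
        if (val.tag != DerValue.tag_Sequence) {
            throw new RuntimeException("invalid key format");
        }

        return AlgorithmId.parse(val.data.getDerValue()).getOID();
    }

    /*
     * Tests matching on the subject public key algorithm ID component contained
     * in the certificate.
     */
    @Test
    public void testSubjectPublicKeyAlgID() throws IOException {
        System.out.println("X.509 Certificate Match on subjectPublicKeyAlgID");
        // bad match: 2.5.29.14 is the OID the other tests use to fetch the
        // subject key identifier extension, not a key algorithm.
        X509CertSelector selector = new X509CertSelector();
        selector.setSubjectPublicKeyAlgID("2.5.29.14");
        checkMatch(selector, cert, false);

        // good match
        selector.setSubjectPublicKeyAlgID(getCertPubKeyAlgOID(cert).toString());
        checkMatch(selector, cert, true);
    }

    // Tests matching on the key usage extension contained in the certificate.
    @Test
    public void testKeyUsage() {
        System.out.println("X.509 Certificate Match on keyUsage");
        // bad match
        X509CertSelector selector = new X509CertSelector();
        boolean[] keyUsage = { true, false, true, false, true, false, true, false };
        selector.setKeyUsage(keyUsage);
        System.out.println("Selector = " + selector.toString());
        checkMatch(selector, cert, false);

        // good match
        selector.setKeyUsage(cert.getKeyUsage());
        System.out.println("Selector = " + selector.toString());
        checkMatch(selector, cert, true);
    }

    /*
     * Tests matching on the subject alternative name extension contained in the
     * certificate.
     */
    @Test
    public void testSubjectAltName() throws IOException {
        System.out.println("X.509 Certificate Match on subjectAltName");
        // bad match: a DNS name (GeneralName type 2) the certificate does not carry
        X509CertSelector selector = new X509CertSelector();
        GeneralNameInterface dnsName = new DNSName("foo.com");
        DerOutputStream tmp = new DerOutputStream();
        dnsName.encode(tmp);
        selector.addSubjectAlternativeName(2, tmp.toByteArray());
        checkMatch(selector, cert, false);

        // good match: the first name from the certificate's own extension
        DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.17"));
        byte[] encoded = in.getOctetString();
        SubjectAlternativeNameExtension ext =
                new SubjectAlternativeNameExtension(false, encoded);
        GeneralNames names =
                (GeneralNames) ext.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
        GeneralName name = (GeneralName) names.get(0);
        selector.setSubjectAlternativeNames(null);
        DerOutputStream tmp2 = new DerOutputStream();
        name.getName().encode(tmp2);
        selector.addSubjectAlternativeName(name.getType(), tmp2.toByteArray());
        checkMatch(selector, cert, true);

        // good match 2 (matches at least one): with match-all switched off, the
        // extra foo.com criterion no longer prevents a match.
        selector.setMatchAllSubjectAltNames(false);
        selector.addSubjectAlternativeName(2, "foo.com");
        checkMatch(selector, cert, true);
    }

    /*
     * Tests matching on the certificate policies extension (2.5.29.32)
     * contained in the certificate.
     */
    @Test
    public void testPolicy() throws IOException {
        System.out.println("X.509 Certificate Match on certificatePolicies");
        // test encoding of CertificatePoliciesExtension because we wrote the
        // code
        // bad match
        X509CertSelector selector = new X509CertSelector();
        Set<String> s = new HashSet<>();
        s.add("1.2.5.7.68");
        selector.setPolicy(s);
        checkMatch(selector, cert, false);

        // good match
        DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.32"));
        CertificatePoliciesExtension ext =
                new CertificatePoliciesExtension(false, in.getOctetString());
        List<PolicyInformation> policies = ext.get(CertificatePoliciesExtension.POLICIES);
        // match on the first policy id
        PolicyInformation policyInfo = policies.get(0);
        s.clear();
        s.add(policyInfo.getPolicyIdentifier().getIdentifier().toString());
        selector.setPolicy(s);
        checkMatch(selector, cert, true);
    }

    /*
     * Tests the pathToName criterion against the name constraints extension
     * (2.5.29.30) contained in the certificate: directory names under an
     * excluded subtree must not match, directory names under a permitted
     * subtree must match.
     */
    @Test
    public void testPathToName() throws IOException {
        System.out.println("X.509 Certificate Match on pathToName");

        DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.30"));
        byte[] encoded = in.getOctetString();
        NameConstraintsExtension ext = new NameConstraintsExtension(false, encoded);
        GeneralSubtrees permitted = (GeneralSubtrees) ext.get(PERMITTED_SUBTREES);
        GeneralSubtrees excluded = (GeneralSubtrees) ext.get(EXCLUDED_SUBTREES);

        // bad matches on pathToName within excluded subtrees
        checkPathToNames(excluded, "CN=Bogus, ", false);

        // good matches on pathToName within permitted subtrees
        checkPathToNames(permitted, "CN=good, ", true);
    }

    /*
     * For every directory-name subtree in subtrees, checks the pathToName
     * criterion twice: once with the subtree's own name and once with a name
     * one level below it (childRdn prepended). A null subtrees means the
     * extension has no such list and nothing is checked.
     */
    private void checkPathToNames(GeneralSubtrees subtrees, String childRdn, boolean expected)
            throws IOException {
        if (subtrees == null) {
            return;
        }
        Iterator<GeneralSubtree> it = subtrees.iterator();
        while (it.hasNext()) {
            GeneralSubtree tree = it.next();
            if (tree.getName().getType() != NAME_DIRECTORY) {
                continue;
            }
            String baseDn = tree.getName().toString();
            byte[] derBase = derEncode(new X500Name(baseDn));
            byte[] derChild = derEncode(new X500Name(childRdn + baseDn));

            X509CertSelector selector = new X509CertSelector();
            selector.addPathToName(NAME_DIRECTORY, derBase);
            checkMatch(selector, cert, expected);
            // reset the criterion so the second name is checked on its own
            selector.setPathToNames(null);
            selector.addPathToName(NAME_DIRECTORY, derChild);
            checkMatch(selector, cert, expected);
        }
    }

    // Returns the DER encoding of the given distinguished name.
    private static byte[] derEncode(X500Name dn) throws IOException {
        DerOutputStream out = new DerOutputStream();
        dn.encode(out);
        return out.toByteArray();
    }

    /*
     * Tests matching on the subject name contained in the certificate.
     *
     * As with testIssuer, this exercises the String overload of setSubject;
     * the X500Principal or byte[] overloads avoid the loss of encoding
     * information that the RFC 2253 string form can cause.
     */
    @Test
    public void testSubject() throws IOException {
        System.out.println("X.509 Certificate Match on subject");
        // bad match
        X509CertSelector selector = new X509CertSelector();
        selector.setSubject("ou=bogus,ou=east,o=sun,c=us");
        checkMatch(selector, cert, false);

        // good match
        selector.setSubject(cert.getSubjectX500Principal().getName("RFC2253"));
        checkMatch(selector, cert, true);
    }

    // Tests matching on the subject public key contained in the certificate.
    @Test
    public void testSubjectPublicKey() throws IOException, GeneralSecurityException {
        System.out.println("X.509 Certificate Match on subject public key");
        // bad match: a well-formed DSA key that is not the certificate's key.
        // The MIME decoder is used because testKey contains line breaks.
        X509CertSelector selector = new X509CertSelector();
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(
                Base64.getMimeDecoder().decode(testKey));
        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
        PublicKey pubKey = keyFactory.generatePublic(keySpec);
        selector.setSubjectPublicKey(pubKey);
        checkMatch(selector, cert, false);

        // good match
        selector.setSubjectPublicKey(cert.getPublicKey());
        checkMatch(selector, cert, true);
    }

    // Tests matching on the name constraints contained in the certificate.
    // TODO(b/203769066): Depends on updated X509Certificate implementation
    // Until then this method is private and carries no @Test annotation, so the
    // name constraints criterion has no coverage from this class.
    private void testNameConstraints() throws IOException {
        System.out.println("X.509 Certificate Match on name constraints");
        // bad match: the subject DN is placed in the excluded subtrees
        GeneralSubtrees subjectTree = new GeneralSubtrees();
        subjectTree.add(getGeneralSubtree((X500Name) cert.getSubjectDN()));
        NameConstraintsExtension ext =
                new NameConstraintsExtension((GeneralSubtrees) null, subjectTree);
        X509CertSelector selector = new X509CertSelector();
        selector.setNameConstraints(ext.getExtensionValue());
        checkMatch(selector, cert, false);

        // good match: the same subtree, now as the permitted subtrees
        ext = new NameConstraintsExtension(subjectTree, null);
        selector.setNameConstraints(ext.getExtensionValue());
        checkMatch(selector, cert, true);
    }

    /*
     * Tests matching on basic constraints.
     *
     * NOTE(review): the dump of the fixture lists no basicConstraints
     * extension, so getBasicConstraints() is expected to return -1, and
     * setBasicConstraints(-1) means "no check". If so, the positive case only
     * shows that clearing the criterion matches again; it does not show a
     * match on a real path length. Confirm before relying on this test for
     * CA / end-entity selection behaviour.
     */
    @Test
    public void testBasicConstraints() {
        System.out.println("X.509 Certificate Match on basic constraints");
        // bad match: 0 requires a basicConstraints extension with a path length
        X509CertSelector selector = new X509CertSelector();
        int mpl = cert.getBasicConstraints();
        selector.setBasicConstraints(0);
        checkMatch(selector, cert, false);

        // good match
        selector.setBasicConstraints(mpl);
        checkMatch(selector, cert, true);
    }

    // Tests certificateEquals criterion
    @Test
    public void testCertificate() {
        System.out.println("X.509 Certificate Match on certificateEquals criterion");

        X509CertSelector selector = new X509CertSelector();
        // good match
        selector.setCertificate(cert);
        checkMatch(selector, cert, true);
    }

    /*
     * Asserts that selector.match(cert) equals the expected outcome. The
     * failure message includes the selector and the certificate so a mismatch
     * can be diagnosed from the test log.
     */
    private void checkMatch(X509CertSelector selector, X509Certificate cert, boolean match) {
        boolean result = selector.match(cert);
        assertEquals(result, match,
                selector + " match " + cert + " is " + result + ", but expect " + match);
    }

    private static GeneralSubtree getGeneralSubtree(GeneralNameInterface gni) {
        // Create a new GeneralSubtree with the specified name, 0 base, and
        // unlimited length
        GeneralName gn = new GeneralName(gni);
        return new GeneralSubtree(gn, 0, -1);
    }
}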